FWSM 3.1(4) capture only showing traffic inbound to an interface

Unanswered Question
Jul 17th, 2008

I'm having problems capturing traffic leaving an interface on a FWSM. It only shows the traffic inbound to the interface. Has anyone found a way to get this working?

a.alekseev Thu, 07/17/2008 - 11:46

:))

Could you post your capture configuration?

clayton-price Thu, 07/17/2008 - 11:56

Sure, thanks! I know I could use the same ACL, but I'm using two for testing. Disregard the reset. I just telnet'd to port 3389. It's the initial ack from 10.50.1.66 etc. that's not showing on the JTC-BB interface. The initial SYN is not showing on the ESX-ILO interface etc. Also, ICMP echo requests will show leaving an interface, just not TCP.


access-list in extended permit ip host 10.50.1.66 any

access-list in extended permit ip any host 10.50.1.66

access-list out extended permit ip host 10.50.1.66 any

access-list out extended permit ip any host 10.50.1.66


capture inside type raw-data access-list in interface JTC-BB

capture outside type raw-data access-list out interface ESX-ILO


FWSM-6003/bastion# sh cap inside

3 packets captured

1: 18:34:23.2310907230 802.1Q vlan#229 P0 10.130.34.226.2645 > 10.50.1.66.3389: S 1500397783:1500397783(0) win 65535

2: 18:34:23.2310907260 802.1Q vlan#229 P0 10.130.34.226.2645 > 10.50.1.66.3389: . ack 4212524028 win 65535

3: 18:34:26.2310909840 802.1Q vlan#229 P0 10.130.34.226.2645 > 10.50.1.66.3389: P 1500397784:1500397786(2) ack 4212524028 win 65535


FWSM-6003/bastion# sh cap outside

2 packets captured

1: 18:34:23.2310907230 802.1Q vlan#234 P0 10.50.1.66.3389 > 10.130.34.226.2645: S 4212524027:4212524027(0) ack 2671557974 win 16384

2: 18:34:26.2310909840 802.1Q vlan#234 P0 10.50.1.66.3389 > 10.130.34.226.2645: R 4212524028:4212524028(0) ack 2671557976 win 0

